Claim Rule Name	LDAP Attribute	Outgoing Claim Type
<user-defined rule name>	User-Principal-Name	Name ID

Claim Rule Name

LDAP Attribute

Outgoing Claim Type

<user-defined rule name>

User-Principal-Name

Name ID

Claim Rule Name

Custom Rule

<user-defined rule name> e.g. nameDN

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);

<user-defined rule name> e.g. DDAN_groups

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]&& c2:[Type == "nameDN"]=> issue(store = "Active Directory", types = ("DDAN_groups"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);

Configuring ADFS as Security Assertion Markup Language (SAML) Identity Provider (IdP) for Deep Discovery Analyzer (DDAN)

Product / Version includes:

Deep Discovery Analyzer 6.9

Last updated: 2025/05/08

Solution ID: KA-0010639

Category: Configure

Summary

Starting from version 6.9, Deep Discovery Analyzer (DDAN) supports Security Assertion Markup Language (SAML) authentication standard to allow users to single sign-on (SSO) to Deep Discovery Analyzer console.

For more information, see SAML-Integration.

DDAN supports the Active Directory Federation Services (ADFS) identity provider.

For more information, see Configuring-ADFS.

Following the procedure provided, you can configure claim rules for each AD group that you want to grant access permission to DDAN. If you want to grant access to users in a child group and its associated parent group, you must create a rule each for the child group and parent group.

You can also configure customize claim rules. For more information, refer to the Microsoft technical documents under the References section of this KB and make sure that you set the outgoing claim type as DDAN_groups.

The following provides an example procedure to configure customize claim rules for all AD users/groups in DDAN_groups. Based on this configuration, you can further limit the single sign-on permission by configuring Access Control Policy settings and create SAML groups in DDAN.

Go to ADFS > Relying Party Trusts and select the created application for DDAN.
Right-click the application and select Edit Claim Issuance Policy....

The Edit Claim Issuance screen appears.
On the Issuance Transform Rules tab, select Add Rule...

Complete settings on each tab of the Add Transform Claim Rule Wizard screen:

On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box (for example, ‘Name ID’) and select Active Directory from the Attribute store drop-down list.
Select the attribute and specify Name ID as the outgoing claim type for the attribute.
Click OK.

LDAP attribute

Claim Rule Name LDAP Attribute Outgoing Claim Type
<user-defined rule name> User-Principal-Name Name ID

Claim Rule Name	LDAP Attribute	Outgoing Claim Type
<user-defined rule name>	User-Principal-Name	Name ID

Create customize claim rules. Complete the following steps:

Click Add Rule....

The Add Transform Claim Rule Wizard screen appears.
On the Choose Rule Type tab, select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and click Next.

The Configure Claim Rule tab appears.

On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and type the custom claims displayed in the following table.

Custom Rules

Claim Rule Name	Custom Rule
<user-defined rule name> e.g. nameDN	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);
<user-defined rule name> e.g. DDAN_groups	c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]&& c2:[Type == "nameDN"]=> issue(store = "Active Directory", types = ("DDAN_groups"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);

Click Apply and then click OK. Repeat to set all the claim rules.

All used schema inherited in ADFS

Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Username Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

References

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Configuring ADFS as Security Assertion Markup Language (SAML) Identity Provider (IdP) for Deep Discovery Analyzer (DDAN)

All used schema inherited in ADFS

References

Configuring ADFS as Security Assertion Markup Language (SAML) Identity Provider (IdP) for Deep Discovery Analyzer (DDAN)

Product / Version includes:

Summary

All used schema inherited in ADFS

References